Abstract. When dealing with linear temporal logic properties in the setting of e.g. games or probabilistic systems, one often needs to express them as deterministic ω-automata. In order to translate LTL to deterministic ω-automata, the traditional approach first translates the formula to a non-deterministic Büchi automaton. Then a determinization procedure such as Safra's is performed, yielding a deterministic ω-automaton. We present a direct translation of the (F,G)-fragment of LTL into deterministic ω-automata with no determinization procedure involved. Since our approach is tailored to LTL, we often avoid the typically unnecessarily large blowup caused by general determinization algorithms. We investigate the complexity of this translation, provide experimental results and compare them to the traditional method.



1 Introduction 

The ω-regular languages play a crucial role in formal verification of linear time properties, both from a theoretical and a practical point of view. For model-checking purposes one can comfortably represent them using nondeterministic Büchi automata (NBW), since one only needs to check emptiness of the intersection of two NBWs corresponding to the system and the negation of the property, and NBWs are closed under intersection. However, two increasingly important problems require representing ω-regular languages by means of deterministic automata. The first one is synthesis of reactive modules for LTL specifications, which was theoretically solved by Pnueli and Rosner more than 20 years ago [PR88], but is recently receiving a lot of attention (see the references below). The second one is model checking Markov decision processes (see e.g. [BK08]), where impressive advances in algorithmic development and tool support are quickly extending the range of applications.

It is well known that NBWs are strictly more expressive than their deterministic counterpart, and so cannot be determinized. The standard theoretical solution to this problem is to translate NBW into deterministic Rabin automata (DRW) using Safra's construction [Saf88] or a recent improvement by Piterman [Pit06]. However, it is commonly accepted that Safra's construction is difficult to handle algorithmically due to its "messy state space" [Kup12]. Many possible strategies for solving this problem have been investigated. A first one is to avoid Safra's construction altogether. A Safraless approach that reduces the synthesis problem to emptiness of nondeterministic Büchi tree automata has been proposed in [KV05,KPV06]. The approach has had considerable success, and has been implemented in [JB06]. Another strategy is to use heuristics to improve Safra's construction, a path that has been followed in [KB06,KB07] and has produced the ltl2dstar tool [Kle]. Finally, a third strategy is to search for more efficient or simpler algorithms for subclasses of ω-regular languages. A natural choice is to investigate classes of LTL formulas. While LTL is not as expressive as NBW, the translation of LTL to DRW still has $2^{2^{O(n)}}$ complexity [KR10]. However, the structure of NBWs for LTL formulas can be exploited to construct a symbolic description of a deterministic parity automaton [MS08]. Fragments of LTL have also been studied. In [AT04], single exponential translations for some simple fragments are presented. Piterman et al. propose in [PPS06] a construction for reactivity(1) formulas that produces in cubic time a symbolic representation of the automaton. The construction has been implemented in the ANZU tool [JGWB07].

Despite this impressive body of work, the problem cannot yet be considered solved. This is particularly so for applications to probabilistic model checking. Since probabilistic model checkers need to deal with linear arithmetic, they profit much less from sophisticated symbolic representations like those used in [PPS06,MS08], or from the Safraless approach which requires the use of tree automata. In fact, to the best of our knowledge no work has been done so far in this direction. The most successful approach so far is the one followed by the ltl2dstar tool, which explicitly constructs a reduced DRW. In particular, ltl2dstar has been reimplemented in PRISM [KNP11], the leading probabilistic model checker.

However, the work carried out in [KB06,KB07] has not considered the development of specific algorithms for fragments of LTL. This is the question we investigate in this paper: is it possible to improve on the results of ltl2dstar by restricting attention to a subset of LTL? We give an affirmative answer by providing a very simple construction for the (F,G)-fragment of LTL, i.e., the fragment generated by boolean operations and the temporal operators F and G. Our construction is still double exponential in the worst case, but is algorithmically very simple. We construct a deterministic Muller automaton for a formula φ of the fragment with a very simple state space: boolean combinations of formulas of the closure of φ. This makes the construction very suitable for applying reductions based on logical equivalences: whenever some logical rule shows that two states are logically equivalent, they can be merged. (This fact is also crucial for the success of the constructions from LTL to NBW.) Since the number of Muller accepting sets can be very large, we also show that the Muller condition of our automata admits a compact representation as a generalized Rabin acceptance condition. We also show how to efficiently transform this automaton to a standard Rabin automaton. Finally, we report on an implementation of the construction, and present a comparison with ltl2dstar. We show that our construction leads to substantially smaller automata for formulas expressing typical fairness conditions, which play a very important role in probabilistic model checking. For instance, while ltl2dstar produces an automaton with over one million states for the formula $\bigwedge_{i=1}^{3} (GFa_i \to GFb_i)$, our construction delivers an automaton with 1560 states.



2 Linear Temporal Logic 

This section recalls the notion of linear temporal logic (LTL) [Pnu77].

Definition 1 (LTL Syntax). The formulae of the (F,G)-fragment of linear temporal logic are given by the following syntax:

$$\varphi ::= a \mid \neg a \mid \varphi \wedge \varphi \mid \varphi \vee \varphi \mid F\varphi \mid G\varphi$$

where a ranges over a finite fixed set Ap of atomic propositions.

We use the standard abbreviations tt := a ∨ ¬a, ff := a ∧ ¬a. We only have negations of atomic propositions, as negations can be pushed inside due to the equivalence of Fφ and ¬G¬φ.

Definition 2 (LTL Semantics). Let $w \in (2^{Ap})^\omega$ be a word. The ith letter of w is denoted w[i], i.e. w = w[0]w[1]⋯. Further, we define the ith suffix of w as $w_i = w[i]w[i+1]\cdots$. The semantics of a formula on w is then defined inductively as follows:

$$\begin{aligned}
w \models a &\iff a \in w[0] \\
w \models \neg a &\iff a \notin w[0] \\
w \models \varphi \wedge \psi &\iff w \models \varphi \text{ and } w \models \psi \\
w \models \varphi \vee \psi &\iff w \models \varphi \text{ or } w \models \psi \\
w \models F\varphi &\iff \exists k \in \mathbb{N} : w_k \models \varphi \\
w \models G\varphi &\iff \forall k \in \mathbb{N} : w_k \models \varphi
\end{aligned}$$

We define a symbolic one-step unfolding $\mathcal{U}$ of a formula inductively by the following rules, where the symbol X intuitively corresponds to the meaning of the standard next operator.

$$\begin{aligned}
\mathcal{U}(a) &= a \\
\mathcal{U}(\neg a) &= \neg a \\
\mathcal{U}(\varphi \wedge \psi) &= \mathcal{U}(\varphi) \wedge \mathcal{U}(\psi) \\
\mathcal{U}(\varphi \vee \psi) &= \mathcal{U}(\varphi) \vee \mathcal{U}(\psi) \\
\mathcal{U}(F\varphi) &= \mathcal{U}(\varphi) \vee XF\varphi \\
\mathcal{U}(G\varphi) &= \mathcal{U}(\varphi) \wedge XG\varphi
\end{aligned}$$

Example 3. Consider φ = Fa ∧ GFb. Then $\mathcal{U}(\varphi) = (a \vee XFa) \wedge (b \vee XFb) \wedge XGFb$.



3 Deterministic Automaton for the (F,G)-fragment 



Let φ be an arbitrary but fixed formula. In the following, we construct a deterministic finite ω-automaton that recognizes the words satisfying φ. The definition of the acceptance condition and its variants follow in the subsequent sections. We start with a construction of the state space. The idea is that a state corresponds to a formula that needs to be satisfied when coming into this state. After evaluating the formulae on the propositions currently read, the next state will be given by what remains in the one-step unfold of the formula. E.g. for Example 3 and reading a, the successor state needs to satisfy Fb ∧ GFb.

In the classical syntactic model constructions, the states are usually given by sets of subformulae of φ. This corresponds to the conjunction of these subformulae. The main difference in our approach is the use of both conjunctions and also disjunctions, which allow us to dispose of non-determinism in the corresponding transition function. In order to formalize this, we need some notation.

Let F and G denote the set of all subformulae of φ of the form Fψ and Gψ, respectively. Further, all temporal subformulae are denoted by a shorthand T := F ∪ G. Finally, for a set of formulae Ψ, we denote $X\Psi := \{X\psi \mid \psi \in \Psi\}$.

We denote the closure of φ by $C(\varphi) := Ap \cup \{\neg a \mid a \in Ap\} \cup XT$. Then $\mathcal{U}(\varphi)$ is a positive Boolean combination over C(φ). By states(φ) we denote the set $2^{2^{C(\varphi)}}$. Each element of states(φ) is a positive Boolean function over C(φ) and we often use a positive Boolean formula as its representative. For instance, the definition of $\mathcal{U}$ is clearly independent of the choice of representative, hence we abuse the notation and apply $\mathcal{U}$ to elements of states(φ). Note that $|\mathrm{states}(\varphi)| \in O(2^{2^{|\varphi|}})$ where |φ| denotes the length of φ.

Our state space has two components. Beside the logical component, we also keep track of the one-step history of the word read. We usually use letters ψ, χ when speaking about the former component and α, β for the latter one.

Definition 4. Given a formula φ, we define $\mathcal{A}(\varphi) = (Q, i, \delta)$ to be a deterministic finite automaton over $\Sigma = 2^{Ap}$ given by

$$\delta = \{(i, \alpha, (\mathcal{U}(\varphi), \alpha)) \mid \alpha \in \Sigma\} \cup \{((\psi, \alpha), \beta, (\mathrm{succ}(\psi, \alpha), \beta)) \mid (\psi, \alpha) \in Q,\ \beta \in \Sigma\}$$

where $\mathrm{succ}(\psi, \alpha) = \mathcal{U}(\mathrm{next}(\psi[\alpha \mapsto tt,\ Ap \setminus \alpha \mapsto ff]))$, $\mathrm{next}(\psi')$ removes the X's from ψ', and $\psi[T \mapsto tt, F \mapsto ff]$ denotes the equivalence class of formulae where in ψ we substitute tt for all elements of T and ff for all elements of F.

Intuitively, a state (ψ, α) of Q corresponds to the situation where ψ needs to be satisfied and α is being read.




Example 5. The automaton for Fa with Ap = {a} is depicted in the following figure. The automaton is obviously unnecessarily large; one can expect to merge e.g. the two states bearing the requirement tt, as the proposition a is irrelevant for satisfaction of tt, which does not even contain it. For the sake of simplicity, we leave all possible combinations here and comment on this in Section 8.

[Figure: the automaton for Fa with Ap = {a}; of the extracted figure only the label "start" of the initial state survived.]




The reader might be surprised or even annoyed by the fact that the logical structure of the state space is not sufficient to keep enough information to decide whether a run ρ is accepting. In order to ensure this, we remember the one-step history in the state. Why is that? Consider φ = GF(a ∧ Fb). Its unfold is then

$$XGF(a \wedge Fb) \wedge \big(XF(a \wedge Fb) \vee (a \wedge (b \vee XFb))\big) \qquad (*)$$

Then moving under {a} results in the requirement GF(a ∧ Fb) ∧ (F(a ∧ Fb) ∨ Fb) for the next step, where the alternative of pure Fb signals progress made by not having to wait for an a. Nevertheless, the unfold of this formula is propositionally equivalent to (*). This is indeed correct as the two formulae are temporally equivalent (i.e. in LTL semantics). Thus, the information about the read a is not kept in the state and the information about this partial progress is lost! And now the next step under both {b} and ∅ leads to the same requirement GF(a ∧ Fb) ∧ F(a ∧ Fb). Therefore, there is no information that if b is read, then it can be matched with the previous a and we already have one satisfaction of (infinitely many required satisfactions of) F(a ∧ Fb), compared to reading ∅. Hence, the runs on ({a}{b})^ω and ({a}∅)^ω are the same while the former should be accepting and the latter rejecting. However, this can be fixed by remembering the one-step history and using the acceptance condition defined in the following section.



4 Muller Acceptance Condition 

In this section, we introduce a Muller acceptance condition. In general, the num- 
ber of sets in a Muller condition can be exponentially larger than the size of the 
automaton. Therefore, we investigate the particular structure of the condition. In 
the next section, we provide a much more compact whilst still useful description 
of the condition. Before giving the formal definition, let us show an example. 



Example 6. Let φ = F(Ga ∨ Gb). The corresponding automaton is depicted below; for clarity, we omit the initial state. Observe that the formula stays the same and the only part that changes is the letter currently read that we remember in the state. The reason is that φ can neither fail in finite time (there is always time to fulfill it), nor can it be partially satisfied (no progress counts in this formula, only the infinite suffix). However, at some finite time the argument of F needs to be satisfied. Although we cannot know when, and whether due to Ga or Gb, we know it is due to one of these (or both) happening. Thus we may shift the non-determinism to the acceptance condition, which says here: accept if the states where a holds are ultimately never left, or the same happens for b. The commitment to e.g. ultimately satisfying Ga can then be proved by checking that all infinitely often visited states read a.
We now formalize this idea. Let φ be a formula and $\mathcal{A}(\varphi) = (Q, i, \delta)$ its corresponding automaton. Consider a formula χ as a Boolean function over elements of C(φ). For sets T, F ⊆ C(φ), let χ[T ↦ tt, F ↦ ff] denote the formula where tt is substituted for elements of T, and ff for elements of F. As elements of C(φ) are considered to be atomic expressions here, the substitution is only done on the propositional level and does not go through the modality, e.g. (a ∨ XGa)[a ↦ ff] = ff ∨ XGa, which is equivalent to XGa in the propositional semantics.

Further, for a formula χ and α ∈ Σ and I ⊆ T, we put $I \models_\alpha \chi$ to denote that

$$\chi[\alpha \cup XI \mapsto tt,\ Ap \setminus \alpha \mapsto ff]$$

is equivalent to tt in the propositional semantics. We use this notation to describe that we rely on a commitment to satisfy all formulae of I.

Definition 7 (Muller acceptance). A set M ⊆ Q is Muller accepting for a set I ⊆ T if the following is satisfied:

1. for each (χ, α) ∈ M, we have $I \models_\alpha \chi$,

2. for each Fψ ∈ I there is (χ, α) ∈ M with $I \models_\alpha \psi$,

3. for each Gψ ∈ I and for each (χ, α) ∈ M we have $I \models_\alpha \psi$.

A set M ⊆ Q is Muller accepting (for φ) if it is Muller accepting for some I ⊆ T.



The first condition ensures that the commitment to formulae in I being ultimately satisfied infinitely often is enough to satisfy the requirements. The second one guarantees that each F-formula is unfolded only finitely often and then satisfied, while the third one guarantees that G-formulae indeed ultimately hold. Note that it may be impossible to see the satisfaction of a formula directly and one must rely on further promises, formulae of smaller size. In the end, promising the atomic proposition is not necessary and is proven directly from the second component of the state space.
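The following Python program is an added illustration of Definitions 4 and 7 and is not the authors' implementation: it builds the reachable state space of A(φ) (unfolding, substitution, next and succ over canonically represented positive Boolean functions) and checks the Muller condition. It assumes that I ⊨_α ψ for a temporal argument ψ of an F- or G-formula in I is evaluated on the unfolding U(ψ), so that the promises in I of smaller subformulae count; all function names are those of this example.

```python
"""A(phi) of Definition 4 and the Muller condition of Definition 7 for the
(F,G)-fragment, as an added illustration.  Formulae are nested tuples
('ap','a'), ('neg','a'), ('and',f,g), ('or',f,g), ('F',f), ('G',f).  A logical
state is a positive Boolean function over the closure C(phi), stored
canonically as its set of minimal implicants (a frozenset of frozensets of
closure elements ('ap',a), ('neg',a), ('X',temporal)), so propositionally
equivalent representatives coincide."""
from itertools import combinations

TT = frozenset({frozenset()})   # the empty conjunction: tt
FF = frozenset()                # no implicant at all: ff

def minimize(imps):
    """Canonical DNF: drop each implicant that strictly contains another."""
    imps = set(imps)
    return frozenset(s for s in imps if not any(t < s for t in imps))

def dnf_or(p, q):
    return minimize(p | q)

def dnf_and(p, q):
    return minimize(s | t for s in p for t in q)

def unfold(f):
    """One-step unfolding U of Section 2, as a DNF over C(phi)."""
    k = f[0]
    if k in ('ap', 'neg'):
        return frozenset({frozenset({f})})
    if k in ('and', 'or'):
        return (dnf_and if k == 'and' else dnf_or)(unfold(f[1]), unfold(f[2]))
    x = frozenset({frozenset({('X', f)})})          # XFpsi resp. XGpsi
    return dnf_or(unfold(f[1]), x) if k == 'F' else dnf_and(unfold(f[1]), x)

def succ(state, alpha):
    """succ(psi, alpha) = U(next(psi[alpha -> tt, Ap \\ alpha -> ff])), Def. 4."""
    survivors = []
    for imp in state:
        # a literal survives iff alpha makes it true; X-elements are kept
        if all(e[0] == 'X' or (e[0] == 'ap') == (e[1] in alpha) for e in imp):
            survivors.append(frozenset(e[1] for e in imp if e[0] == 'X'))  # next
    result = FF
    for imp in minimize(survivors):       # U of a positive combination over T
        conj = TT
        for temporal in imp:
            conj = dnf_and(conj, unfold(temporal))
        result = dnf_or(result, conj)
    return result

def automaton(phi, ap):
    """Reachable part of A(phi) over Sigma = 2^Ap, without any optimisation.
    Returns (states, delta); the string 'init' is the initial state i."""
    sigma = [frozenset(c) for r in range(len(ap) + 1)
             for c in combinations(sorted(ap), r)]
    states, delta, todo = {'init'}, {}, ['init']
    while todo:
        q = todo.pop()
        for alpha in sigma:
            psi = unfold(phi) if q == 'init' else succ(q[0], q[1])
            delta[q, alpha] = (psi, alpha)
            if (psi, alpha) not in states:
                states.add((psi, alpha))
                todo.append((psi, alpha))
    return states, delta

def temporal_subformulae(f):
    """T = F ∪ G: the F- and G-subformulae of f."""
    own = {f} if f[0] in ('F', 'G') else set()
    return own.union(*(temporal_subformulae(g) for g in f[1:] if isinstance(g, tuple)))

def models(i_set, alpha, chi):
    """I |=_alpha chi: chi[alpha ∪ XI -> tt, Ap \\ alpha -> ff] is propositionally tt."""
    return any(all((e[0] == 'X' and e[1] in i_set) or
                   (e[0] != 'X' and (e[0] == 'ap') == (e[1] in alpha))
                   for e in imp) for imp in chi)

def muller_accepting(m_set, i_set):
    """Definition 7.  Assumption of this example: for a temporal psi, I |=_alpha psi
    is evaluated on the unfolding U(psi), so promises in I of smaller subformulae count."""
    return (all(models(i_set, a, chi) for chi, a in m_set)
            and all(any(models(i_set, a, unfold(f[1])) for _, a in m_set)
                    for f in i_set if f[0] == 'F')
            and all(models(i_set, a, unfold(f[1]))
                    for f in i_set if f[0] == 'G' for _, a in m_set))

def is_muller_accepting(m_set, phi):
    """M is Muller accepting (for phi) iff it is accepting for some I ⊆ T."""
    t = sorted(temporal_subformulae(phi), key=repr)
    return any(muller_accepting(m_set, frozenset(c))
               for r in range(len(t) + 1) for c in combinations(t, r))
```

On Fa over Ap = {a} this yields the five states of Example 5, on FGa ∨ GFb and on the conjunction of Example 17 the 5 and 17 states quoted there, and for F(Ga ∨ Gb) it accepts the set of states reading a and rejects a set containing a state reading ∅, as Example 6 describes.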

4.1 Correctness 

Given a formula φ, we have defined a Muller automaton $\mathcal{A}(\varphi)$ and we let the acceptance condition $\mathcal{M}(\varphi) = \{M_1, \ldots, M_k\}$ be given by all the Muller accepting sets $M_i$ for φ. Every word $w : \mathbb{N} \to 2^{Ap}$ induces a run $\rho = \mathcal{A}(\varphi)(w) : \mathbb{N} \to Q$ starting in i and following δ. The run is thus accepting and the word is accepted if the set of states visited infinitely often Inf(ρ) is Muller accepting for φ. Vice versa, a run $\rho = i(\chi_1, \alpha_1)(\chi_2, \alpha_2)\cdots$ induces a word $Ap(\rho) = \alpha_1\alpha_2\cdots$. We now prove that this acceptance condition is sound and complete.

Theorem 8. Let φ be a formula and w a word. Then w is accepted by the deterministic automaton $\mathcal{A}(\varphi)$ with the Muller condition $\mathcal{M}(\varphi)$ if and only if w ⊨ φ.

We start by proving that the first component of the state space takes care of 
all progress or failure in finite time. 

Proposition 9 (Local (finitary) correctness). Let w be a word and $\mathcal{A}(\varphi)(w) = i(\chi_0, \alpha_0)(\chi_1, \alpha_1)\cdots$ the corresponding run. Then for all $n \in \mathbb{N}$, we have w ⊨ φ if and only if $w_n \models \chi_n$.

Proof (Sketch). The one-step unfold produces a temporally equivalent (w.r.t. LTL satisfaction) formula. The unfold is a Boolean function over atomic propositions and elements of XT. Therefore, this unfold is satisfied if and only if the next state satisfies next(ψ'), where ψ' is the result of partial application of the Boolean function to the currently read letter of the word. We conclude by induction. □

Further, each occurrence of satisfaction of F must happen in finite time. As a consequence, a run with $\chi_i \neq ff$ is rejecting if and only if satisfaction of some Fψ is always postponed.

Proposition 10 (Completeness). If w ⊨ φ then $\mathrm{Inf}(\mathcal{A}(\varphi)(w))$ is a Muller accepting set.

Proof. Let us show that $M := \mathrm{Inf}(\mathcal{A}(\varphi)(w))$ is Muller accepting for

$$I := \{\psi \in F \mid w \models G\psi\} \cup \{\psi \in G \mid w \models F\psi\}$$

As a technical device we use the following. For every finite Boolean combination ψ of elements of the closure C, there are only finitely many options to satisfy it, each corresponding to a subset of C. Therefore, if $w_i \models \psi$ for infinitely many $i \in \mathbb{N}$ then at least one of the options has to recur. More precisely, for some subset α ⊆ Ap there are infinitely many $i \in \mathbb{N}$ with $w_i \models \psi \cup \alpha \cup \{\neg a \mid a \in Ap \setminus \alpha\}$. For each such α we pick one subset $I_{\chi,\alpha} \subseteq T$ such that for infinitely many i, after reading $w^i = w[0]\cdots w[i]$ we are in state (χ, α) and $w_i \models \psi \cup XI_{\chi,\alpha}$ and $I_{\chi,\alpha} \models_\alpha \psi$. We say that we have a recurring set $I_{\chi,\alpha}$ modelling ψ (for a state (χ, α)). Obviously, the recurring sets for all states are included in I, i.e. $I_{\chi,\alpha} \subseteq I$ for every (χ, α) ∈ Q.

Let us now proceed with proving the three conditions of Definition 7 for M and I.

Condition 1. Let (χ, α) ∈ M. Since w ⊨ φ, by Proposition 9 $w_i \models \chi$ whenever we enter (χ, α) after reading $w^i$, which happens for infinitely many $i \in \mathbb{N}$. Hence we have a recurring set $I_{\chi,\alpha}$ modelling χ. Since $I_{\chi,\alpha} \models_\alpha \chi$, we get also $I \models_\alpha \chi$ by $I_{\chi,\alpha} \subseteq I$.

Condition 2. Let Fψ ∈ I, then w ⊨ GFψ. Since there are finitely many states, there is (χ, α) ∈ M for which after infinitely many entrances by $w^i$ it holds $w_i \models \psi$ by Proposition 9, hence we have a recurring set $I_{\chi,\alpha}$ modelling ψ and conclude as above.

Condition 3. Let Gψ ∈ I, then w ⊨ FGψ. Hence for every (χ, α) ∈ M infinitely many $w^i$ leading to (χ, α) satisfy $w_i \models \psi$ by Proposition 9, hence we have a recurring set $I_{\chi,\alpha}$ modelling ψ and conclude as above. □

Before proving the opposite direction of the theorem, we provide a property 
of Muller accepting sets opposite to the previous proposition. 

Lemma 11. Let ρ be a run. If Inf(ρ) is Muller accepting for I then Ap(ρ) ⊨ Gψ for each ψ ∈ I ∩ F and Ap(ρ) ⊨ Fψ for each ψ ∈ I ∩ G.

Proof. Denote w = Ap(ρ). Let us first assume ψ ∈ I ∩ F and $w_j \not\models \psi$ for all $j > i \in \mathbb{N}$. Since ψ ∈ I ∩ F, for infinitely many j, ρ passes through some (χ, α) ∈ Inf(ρ) for which $I \models_\alpha \psi$. Hence, there is $\psi_1 \in I$ which is a subformula of ψ such that for infinitely many i, $w_i \not\models \psi_1$. If $\psi_1 \in F$, we proceed as above; similarly for $\psi_1 \in G$. Since we always get a smaller subformula, at some point we obtain either $\psi_n = F\beta$ or $\psi_n = G\beta$ with β a Boolean combination over Ap and we get a contradiction with the second or the third point of Definition 7, respectively. □

In other words, if we have a Muller accepting set for I then all elements of I hold true in $w_i$ for almost all i.

Proposition 12 (Soundness). If $\mathrm{Inf}(\mathcal{A}(\varphi)(w))$ is a Muller accepting set then w ⊨ φ.

Proof. Let $M := \mathrm{Inf}(\mathcal{A}(\varphi)(w))$ be a Muller accepting set for some I. There is $i \in \mathbb{N}$ such that after reading $w^i$ we come to (χ, α) and stay in $\mathrm{Inf}(\mathcal{A}(\varphi)(w))$ from now on and, moreover, $w_i \models \psi$ for all ψ ∈ I by Lemma 11. For a contradiction, let w ⊭ φ. By Proposition 9 we thus get $w_i \not\models \chi$. By the first condition of Definition 7 we get $I \models_\alpha \chi$. Therefore, there is ψ ∈ I such that $w_i \not\models \psi$, a contradiction. □



5 Generalized Rabin Condition 



In this section, we investigate the structure of the previously defined Muller 
condition and propose a new type of acceptance condition that compactly, yet 
reasonably explicitly captures the accepting sets. 

Let us first consider a fixed I ⊆ T and examine all Muller accepting sets for I. The first condition of Definition 7 requires not to leave the set of states $\{(\chi, \alpha) \mid I \models_\alpha \chi\}$. Similarly, the third condition is a conjunction of |I ∩ G| conditions not to leave the sets $\{(\chi, \alpha) \mid I \models_\alpha \psi\}$ for each Gψ ∈ I. Both conditions thus together require that a certain set (the complement of the intersection of the above sets) is visited only finitely often. On the other hand, the second condition requires to visit certain sets infinitely often. Indeed, for each Fψ ∈ I the set $\{(\chi, \alpha) \mid I \models_\alpha \psi\}$ must be visited infinitely often.

Furthermore, a set is accepting if the conditions above hold for some set /. 
Hence, the acceptance condition can now be expressed as a positive Boolean 
combination over Rabin pairs in a similar way as the standard Rabin condition 
is a disjunction of Rabin pairs. 

Example 13. Let us consider the (strong) fairness constraint φ = FGa ∨ GFb. Since each atomic proposition has both F and G as ancestors in the syntactic tree, it is easy to see that there is only one reachable element of states(φ) and the state space of $\mathcal{A}$ is $\{i\} \cup 2^{\{a,b\}}$, i.e. of size $1 + 2^2 = 5$. Furthermore, the syntactic tree of $\mathcal{U}(\varphi) = XFGa \vee (XGa \wedge a) \vee (XGFb \wedge (XFb \vee b))$ immediately determines the possible sets I. These either contain Ga (possibly with also FGa or some other elements) or GFb, Fb. The first option generates the requirement to visit states with ¬a only finitely often, the second one to visit b infinitely often. Thus the condition can be written as

$$(\{q \mid q \models \neg a\},\ Q) \vee (\emptyset,\ \{q \mid q \models b\})$$

and is in fact a Rabin acceptance condition.

We formalize this new type of acceptance condition as follows. 

Definition 14 (Generalized Rabin Automaton). A generalized Rabin automaton is a (deterministic) ω-automaton $\mathcal{A} = (Q, i, \delta)$ over some alphabet Σ, where Q is a set of states, i is the initial state, $\delta : Q \times \Sigma \to Q$ is a transition function, together with a generalized Rabin condition $\mathcal{GR} \in \mathbb{B}^+(2^Q \times 2^Q)$. A run ρ of $\mathcal{A}$ is accepting if $\mathrm{Inf}(\rho) \models \mathcal{GR}$, which is defined inductively as follows:

$$\begin{aligned}
\mathrm{Inf}(\rho) \models \varphi \wedge \psi &\iff \mathrm{Inf}(\rho) \models \varphi \text{ and } \mathrm{Inf}(\rho) \models \psi \\
\mathrm{Inf}(\rho) \models \varphi \vee \psi &\iff \mathrm{Inf}(\rho) \models \varphi \text{ or } \mathrm{Inf}(\rho) \models \psi \\
\mathrm{Inf}(\rho) \models (F, I) &\iff F \cap \mathrm{Inf}(\rho) = \emptyset \text{ and } I \cap \mathrm{Inf}(\rho) \neq \emptyset
\end{aligned}$$

The generalized Rabin condition corresponding to the previously defined Muller condition $\mathcal{M}$ can now be formalized as follows.



Definition 15 (Generalized Rabin Acceptance). Let φ be a formula. The generalized Rabin condition $\mathcal{GR}(\varphi)$ is

$$\bigvee_{I \subseteq T} \Big[ \big(\{(\chi, \alpha) \mid I \not\models_\alpha \chi \wedge \textstyle\bigwedge_{G\psi \in I} \psi\},\ Q\big) \wedge \bigwedge_{F\psi \in I} \big(\emptyset,\ \{(\chi, \alpha) \mid I \models_\alpha \psi\}\big) \Big]$$

By the argumentation above, we get the equivalence of the Muller and the 
generalized Rabin conditions for tp and thus the following. 

Proposition 16. Let φ be a formula and w a word. Then w is accepted by the deterministic automaton $\mathcal{A}(\varphi)$ with the generalized Rabin condition $\mathcal{GR}(\varphi)$ if and only if w ⊨ φ.

Example 17. Let us consider a conjunction of two (strong) fairness constraints φ = (FGa ∨ GFb) ∧ (FGc ∨ GFd). Since each atomic proposition is wrapped in either FG or GF, there is again only one relevant element of states(φ) and the state space of $\mathcal{A}$ is $\{i\} \cup 2^{\{a,b,c,d\}}$, i.e. of size $1 + 2^4 = 17$. From the previous example, we already know the disjunctions correspond to (¬a, Q) ∨ (∅, b) and (¬c, Q) ∨ (∅, d). Thus for the whole conjunction, we get a generalized Rabin condition

$$\big((\neg a, Q) \vee (\emptyset, b)\big) \wedge \big((\neg c, Q) \vee (\emptyset, d)\big)$$

6 Rabin Condition

In this section, we briefly describe how to obtain a Rabin automaton from $\mathcal{A}(\varphi)$ and the generalized Rabin condition $\mathcal{GR}(\varphi)$ of Definition 15. For a fixed I, the whole conjunction of Definition 15 corresponds to the intersection of automata with different Rabin conditions. In order to obtain the intersection, one has first to construct the product of the automata, which in this case is still the original automaton with the state space Q, as they are all the same. Further, satisfying

$$(G, Q) \wedge \bigwedge_{f \in I \cap F} (\emptyset, F_f)$$

amounts to visiting G only finitely often and each $F_f$ infinitely often. To check the latter (for a non-empty conjunction), it is sufficient to multiply the state space by I ∩ F with the standard trick that we leave the fth copy once we visit $F_f$ and immediately go to the next copy. The resulting Rabin pair is thus

$$(G \times (I \cap F),\ F_f \times \{f\})$$

for an arbitrary fixed f ∈ I ∩ F.

As for the disjunction, the Rabin condition is closed under it, as it simply takes the union of the pairs when the two automata have the same state space. In our case, one can multiply the state space of each disjunct corresponding to I by all J ∩ F for each $J \in 2^T \setminus \{I\}$ to get the same state space for all of them. We thus get a bound for the state space

$$\prod_{J \subseteq T} |J \cap F| \cdot |Q|$$

Example 18. The construction of Definition 15 for the two fairness constraints of Example 17 yields

$$(\neg a \vee \neg c,\ Q) \vee (\neg a,\ d) \vee (\neg c,\ b) \vee \big((\emptyset, b) \wedge (\emptyset, d)\big)$$

where we omitted all pairs (F, I) for which we already have a pair (F', I') with F ⊆ F' and I ⊇ I'. One can eliminate the conjunction as described above at the cost of multiplying the state space by two. The corresponding Rabin automaton thus has $2 \cdot 1 \cdot |\{i\} \cup 2^{Ap}| = 34$ states. (Of course, for instance the initial state need not be duplicated, but for the sake of simplicity of the construction we avoid any optimizations.)

For a conjunction of three conditions, φ = (FGa ∨ GFb) ∧ (FGc ∨ GFd) ∧ (FGe ∨ GFf), the right components of the Rabin pairs correspond to tt, b, d, f, b ∧ d, b ∧ f, d ∧ f, b ∧ d ∧ f. The multiplication factor to obtain a Rabin automaton is thus $2 \cdot 2 \cdot 2 \cdot 3 = 24$ and the state space is of size $24 \cdot 1 \cdot (1 + 2^6) = 1560$.
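As an added example that is not the authors' implementation, the following Python code carries out the pair merging of Section 8, the conjunction of generalized Rabin conditions and the copy multiplication of Section 6 on the fairness constraints of Examples 13, 17 and 18. It assumes that the states are the letters read, as in the infinitary fragment, with the string 'init' standing for the initial state i; the function names are those of this example.

```python
"""From a generalized Rabin condition to Rabin pairs (Sections 5, 6 and 8), as
an added illustration on the level of state sets.  A pair (F, I) means: F is
visited finitely often, I infinitely often; a generalized Rabin condition is a
disjunction of conjunctions of pairs, stored as a list of lists.  States are
the letters read (frozensets of propositions), as in the infinitary fragment
of Section 7, plus the string 'init' for the initial state i (an assumption
of this example)."""
from itertools import combinations, product
from math import prod

def states_over(ap):
    """Q = {i} ∪ 2^Ap, the state space of Examples 13 and 17."""
    return ['init'] + [frozenset(c) for r in range(len(ap) + 1)
                       for c in combinations(sorted(ap), r)]

def fairness(q, a, b):
    """FGa ∨ GFb as the condition ({q | q |= ¬a}, Q) ∨ (∅, {q | q |= b}) (Example 13)."""
    no_a = frozenset(s for s in q if s != 'init' and a not in s)
    has_b = frozenset(s for s in q if s != 'init' and b in s)
    return [[(no_a, frozenset(q))], [(frozenset(), has_b)]]

def merge(conj):
    """(F1, I1) ∧ (F2, I2) with I1 ⊆ I2 collapses to (F1 ∪ F2, I1) (Section 8)."""
    pairs = list(conj)
    i = 0
    while i < len(pairs):
        f1, i1 = pairs[i]
        j = next((j for j, (_, i2) in enumerate(pairs) if j != i and i1 <= i2), None)
        if j is None:
            i += 1
        else:
            pairs[i] = (f1 | pairs[j][0], i1)
            del pairs[j]
            i = 0
    return pairs

def gr_and(c1, c2):
    """Conjunction of two generalized Rabin conditions by distributivity."""
    return [merge(d1 + d2) for d1 in c1 for d2 in c2]

def rabin_factor(cond):
    """GR-factor of Table 1: one copy of Q per pair of each disjunct."""
    return prod(len(d) for d in cond)

def rabin_product(cond, q):
    """Rabin pairs over Q × ∏_j {0..k_j - 1} (Section 6): disjunct j waits in copy
    c_j for its c_j-th I-set and advances on visiting it, so its single pair is
    (G_j × copies, I_{j,0} × {c_j = 0}).  Returns (number of states, pairs)."""
    copies = list(product(*[range(len(d)) for d in cond]))
    pairs = []
    for j, d in enumerate(cond):
        g = frozenset().union(*(f for f, _ in d))
        fin = frozenset((s, c) for s in q for c in copies if s in g)
        inf = frozenset((s, c) for s in q for c in copies if c[j] == 0 and s in d[0][1])
        pairs.append((fin, inf))
    return len(q) * len(copies), pairs

def product_step(cond, state, letter, delta):
    """One transition of the product automaton: Q moves by delta, and the copy of
    disjunct j advances when the new Q-state lies in the I-set it waits for."""
    s, c = state
    s2 = delta(s, letter)
    c2 = tuple((cj + 1) % len(d) if s2 in d[cj][1] else cj for cj, d in zip(c, cond))
    return s2, c2
```

For the two constraints of Example 17 this gives the factor 2 and the 34 product states of Example 18, and for three constraints the factor 24 and 1560 states quoted above.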

7 Complexity 

In this section, we summarize the theoretical complexity bounds we have ob- 
tained. 

The traditional approach first translates the formula φ of length n into a non-deterministic automaton of size $O(2^n)$. Then the determinization follows. The construction of Safra has the complexity $m^{O(m)}$ where m is the size of the input automaton [Saf88]. This is in general optimal. The overall complexity is thus

$$2^{n \cdot O(2^n)} = 2^{O(2^{n + \log n})}$$

The recent lower bound for the whole LTL is $2^{2^{\Omega(n)}}$ [KR10]. However, to be more precise, the example is of size less than $2^{O(2^n)}$. Hence, there is a small gap. To the authors' best knowledge, there is no better upper bound when restricting to automata arising from LTL formulae or from the full (F,G)-fragment. (There are results on smaller fragments [AT04] though.) We tighten this gap slightly as shown below. Further, note that the number of Rabin pairs is $O(m) = O(2^n)$.

Our construction first produces a Muller automaton of size

$$O(2^{2^{|T|}} \cdot 2^{|Ap|}) = O(2^{2^n + n}) \subseteq 2^{O(2^n)}$$

which is strictly less than in the traditional approach. Moreover, as already discussed in Example 13, one can consider an "infinitary" fragment where every atomic proposition has in the syntactic tree both F and G as some ancestors. In this fragment, the state space of the Muller/generalized Rabin automaton is simply $2^{Ap}$ (when omitting the initial state) as for all α ⊆ Ap, we have succ(φ, α) = φ. This is useful, since for e.g. fairness constraints our procedure yields exponentially smaller automata.

Although the size of the Muller acceptance condition can potentially be exponentially larger than the state space, we have shown it can be compactly written as a disjunction of up to $2^n$ conjunctions, each of size at most n.

Moreover, using the intersection procedure we obtain a Rabin automaton with the upper bound on the state space

$$|F|^{2^{|T|}} \cdot |Q| \in n^{2^n} \cdot 2^{O(2^n)} = 2^{O(\log n \cdot 2^n)} = 2^{O(2^{n + \log\log n})} \subseteq 2^{O(2^{n + \log n})}$$

thus slightly improving the upper bound. Further, each conjunction is transformed into one pair; we are thus left with at most $2^{|T|} \in O(2^n)$ Rabin pairs.

8 Experimental Results and Evaluation 

We have implemented the construction of the state space of $\mathcal{A}(\varphi)$ described above. Further, Definition 15 then provides a way to compute the multiplication factor needed in order to get the Rabin automaton. We compare the sizes of this generalized Rabin automaton and Rabin automaton with the Rabin automaton produced by ltl2dstar. Ltl2dstar first calls an external translator from LTL to non-deterministic Büchi automata. In our experiments, it is LTL2BA [GO01], recommended by the authors of ltl2dstar. Then it performs Safra's determinization. Ltl2dstar implements several optimizations of Safra's construction. The optimizations shrink the state space by a factor of 5 (saving 79.7% on average on the formulae considered here) to 10 (89.7% on random formulae) [KB06]. Our implementation does not perform any ad hoc optimization, since we want to evaluate whether the basic idea of the Safraless construction is already competitive. The only optimizations done are the following.

— Only the reachable part of the state space is generated.

— Only atomic propositions relevant in each state are considered. In a state (χ, α), a is not relevant if χ[a ↦ tt] = χ[a ↦ ff], i.e. if for every valuation, χ has the same value no matter which value a takes. For instance, let Ap = {a, b} and consider $\chi = \mathcal{U}(Fa) = a \vee XFa$. Then instead of having four copies (for ∅, {a}, {b}, {a, b}), there are only two for the sets of valuations {∅, {b}} and {{a}, {a, b}}. For its successor tt, we only have one copy standing for the whole set {∅, {a}, {b}, {a, b}}.

— Definition 15 takes a disjunction over $I \in 2^T$. If I ⊆ I' but the sets of states (χ, α) with $I \models_\alpha \chi$ and $I' \models_\alpha \chi$ are the same, it is enough to consider the disjunct for I only. E.g. for $\mathcal{U}(G(Fa \vee Fb))$, we only consider I either {G(Fa ∨ Fb), Fa} or {G(Fa ∨ Fb), Fb}, but not their union.

This is an instance of a more general simplification. For a conjunction of pairs $(F_1, I_1) \wedge (F_2, I_2)$ with $I_1 \subseteq I_2$, there is a single equivalent condition $(F_1 \cup F_2, I_1)$.



Table 1 shows the results on formulae from BEEM (BEnchmarks for Explicit Model checkers) [Pel07] and formulae from [SB00] on which ltl2dstar was originally tested [KB06]. In both cases, we only take formulae of the (F,G)-fragment. In the first case this is 11 out of 20, in the second 12 out of 28. There is a slight overlap between the two sets. Further, we add conjunctions of strong fairness conditions and a few other formulae. For each formula φ, we give the number |states(φ)| of distinct states w.r.t. the first (logical) component. The overall number of states of the Muller or generalized Rabin automaton follows. The respective runtimes are not listed as they were less than a second for all listed formulae, with the exception of the fifth formula from the bottom where it needed 3 minutes (here ltl2dstar needed more than one day to compute the Rabin automaton). In the column $\mathcal{GR}$-factor, we describe the complexity of the generalized Rabin condition, i.e. the number of copies of the state space that are created to obtain an equivalent Rabin automaton, whose size is thus bounded from above by the column Rabin. The last column states the size of the state space of the Rabin automaton generated by ltl2dstar using LTL2BA.



Table 1. Experimental comparison to ltl2dstar on formulae of [Pel07], [SB00], fairness constraints and some other examples of formulae of the "infinitary" fragment

Formula                                   | states | Muller/GR | GR-factor | Rabin | ltl2dstar
------------------------------------------|--------|-----------|-----------|-------|----------
G(a ∨ Fb)                                 |   2    |     5     |     1     |    5  |         4
FGa ∨ FGb ∨ GFc                           |   1    |     9     |     1     |    9  |        36
F(a ∨ b)                                  |   2    |     4     |     1     |    4  |         2
GF(a ∨ b)                                 |   1    |     3     |     1     |    3  |         4
G(a ∨ b ∨ c)                              |   2    |     4     |     1     |    4  |         3
G(a ∨ Fb)                                 |   2    |     5     |     1     |    5  |         4
G(a ∨ F(b ∨ c))                           |   2    |     5     |     1     |    5  |         4
Fa ∨ Gb                                   |   3    |     7     |     1     |    7  |         5
G(a ∨ F(b ∧ c))                           |   2    |     5     |     1     |    5  |         4
(FGa ∨ GFb)                               |   1    |     5     |     1     |    5  |        12
GF(a ∨ b) ∧ GF(b ∨ c)                     |   1    |     5     |     2     |   10  |        12
(FFa ∧ G¬a) ∨ (GG¬a ∧ Fa)                 |   2    |     4     |     1     |    4  |         1
(GFa) ∧ FGb                               |   1    |     5     |     1     |    5  |         7
(GFa ∧ FGb) ∨ (FG¬a ∧ ¬b)                 |   1    |     5     |     1     |    5  |        14
FGa ∧ GFa                                 |   1    |     3     |     1     |    3  |         3
G(Fa ∧ Fb)                                |   1    |     5     |     2     |   10  |         5
Fa ∧ Fb                                   |   4    |     8     |     1     |    8  |         4
(G(b ∨ GFa) ∧ G(c ∨ GF¬a)) ∨ Gb ∨ Gc      |   4    |    18     |     2     |   36  |        26
(G(b ∨ FGa) ∧ G(c ∨ FG¬a)) ∨ Gb ∨ Gc      |   4    |    18     |     1     |   18  |        29
(F(b ∧ FGa) ∨ F(c ∧ FG¬a)) ∧ Fb ∧ Fc      |   4    |    18     |     1     |   18  |         8
(F(b ∧ GFa) ∨ F(c ∧ GF¬a)) ∧ Fb ∧ Fc      |   4    |    18     |     1     |   18  |        45
(FGa ∨ GFb)                               |   1    |     5     |     1     |    5  |        12
(FGa ∨ GFb) ∧ (FGc ∨ GFd)                 |   1    |    17     |     2     |   34  |     17527
⋀_{i=1}^{3} (GFa_i → GFb_i)               |   1    |    65     |    24     | 1560  | 1 304 706
(⋀_{i=1}^{3} GFa_i) → GFb                 |   1    |    65     |     1     |   65  |       972
GF(Fa ∨ GFb ∨ FG(a ∨ b))                  |   1    |     5     |     1     |    5  |       159
FG(Fa ∨ GFb ∨ FG(a ∨ b))                  |   1    |     5     |     1     |    5  |      2918
FG(Fa ∨ GFb ∨ FG(a ∨ b) ∨ FGb)            |   1    |     5     |     1     |    5  |      4516

While the advantages of our approach over the general determinization are 
clear for the infinitary fragment, there seem to be some drawbacks when "finitary" 
behaviour is present, i.e. behaviour that can be satisfied or disproved after 
finitely many steps. The reason and the patch for this are the following. Consider 
the formula Fa and its automaton from Example 5. Observe that one can easily 
collapse the automaton to the size of only 2. The problem is that some states 
such as (a ∨ XFa, {a}) are only "passed through" and are equivalent to some 
of their successors, here (tt, {a}). However, we may safely perform the following 
collapse. Whenever two states (χ, ν), (χ', ν) satisfy that χ[ν ↦ tt, Ap \ ν ↦ ff] 
is propositionally equivalent to χ'[ν ↦ tt, Ap \ ν ↦ ff], we may safely merge the 
states as they have the same properties: they are bisimilar with the same set of 
atomic propositions satisfied. Using these optimizations, e.g. the automaton for 
Fa ∧ Fb has size 4, as does the one produced by ltl2dstar. 
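
As an added illustration (not code from the paper or from its implementation), the following Python script implements the mechanics this section relies on: the successor of a logical component under a letter ν, obtained by unfolding (Fψ ↦ Unf(ψ) ∨ XFψ, Gψ ↦ Unf(ψ) ∧ XGψ), substituting ν ↦ tt, Ap \ ν ↦ ff and dropping the leading X's; the collapse check above, i.e. propositional equivalence of χ[ν ↦ tt, Ap \ ν ↦ ff] and χ'[ν ↦ tt, Ap \ ν ↦ ff]; and a count of the distinct logical components reachable from a formula. The tuple encoding, the function names and the use of propositional equivalence only are assumptions of this example; the paper additionally identifies formulae up to temporal equivalences, so for GF(a ∨ b) the script finds 2 components where Table 1 reports 1, while for Fa ∧ Fb, F(a ∨ b) and G(a ∨ Fb) it reproduces the counts 4, 2 and 2.

```python
from itertools import combinations, product

# Formulas are nested tuples: ('tt',), ('ff',), ('ap', a), ('neg', a),
# ('and', l, r), ('or', l, r), ('F', f), ('G', f), ('X', f).
# Negation is restricted to atomic propositions, as in the fragment.
TT, FF = ('tt',), ('ff',)
def ap(a): return ('ap', a)
def neg(a): return ('neg', a)
def And(l, r): return ('and', l, r)
def Or(l, r): return ('or', l, r)
def F(f): return ('F', f)
def G(f): return ('G', f)
def X(f): return ('X', f)

def unf(f):
    """One-step unfolding: F phi -> Unf(phi) or X F phi, G phi -> Unf(phi) and X G phi."""
    op = f[0]
    if op == 'F':
        return Or(unf(f[1]), X(f))
    if op == 'G':
        return And(unf(f[1]), X(f))
    if op in ('and', 'or'):
        return (op, unf(f[1]), unf(f[2]))
    return f

def subst(f, nu):
    """f[nu -> tt, Ap \\ nu -> ff]: fix the atomic propositions according to letter nu."""
    op = f[0]
    if op == 'ap':
        return TT if f[1] in nu else FF
    if op == 'neg':
        return FF if f[1] in nu else TT
    if op in ('and', 'or'):
        return (op, subst(f[1], nu), subst(f[2], nu))
    return f  # constants and temporal subformulas are left untouched

def strip_x(f):
    """Drop the leading X of the remaining temporal subformulas (next-state formula)."""
    op = f[0]
    if op == 'X':
        return f[1]
    if op in ('and', 'or'):
        return (op, strip_x(f[1]), strip_x(f[2]))
    return f

def variables(f, acc=None):
    """Non-Boolean leaves (atoms, temporal subformulas) used as propositional variables."""
    acc = set() if acc is None else acc
    op = f[0]
    if op in ('and', 'or'):
        variables(f[1], acc)
        variables(f[2], acc)
    elif op == 'neg':
        acc.add(ap(f[1]))
    elif op not in ('tt', 'ff'):
        acc.add(f)
    return acc

def evaluate(f, val):
    """Truth value of f under a valuation of its variables."""
    op = f[0]
    if op == 'tt': return True
    if op == 'ff': return False
    if op == 'and': return evaluate(f[1], val) and evaluate(f[2], val)
    if op == 'or': return evaluate(f[1], val) or evaluate(f[2], val)
    if op == 'neg': return not val[ap(f[1])]
    return val[f]

def prop_equiv(f, g):
    """Propositional equivalence by exhaustive valuation of the shared variables."""
    vs = sorted(variables(f) | variables(g), key=repr)
    for bits in product((False, True), repeat=len(vs)):
        val = dict(zip(vs, bits))
        if evaluate(f, val) != evaluate(g, val):
            return False
    return True

def step(chi, nu):
    """Successor logical component of chi after reading the letter nu."""
    return strip_x(subst(unf(chi), nu))

def mergeable(x, x2, nu):
    """Collapse check: states (x, nu) and (x2, nu) are bisimilar and may be merged."""
    return prop_equiv(subst(x, nu), subst(x2, nu))

def atoms(f, acc=None):
    acc = set() if acc is None else acc
    if f[0] in ('ap', 'neg'):
        acc.add(f[1])
    else:
        for sub in f[1:]:
            atoms(sub, acc)
    return acc

def logical_states(phi):
    """Logical components reachable from phi, identified up to propositional equivalence."""
    aps = sorted(atoms(phi))
    letters = [frozenset(c) for r in range(len(aps) + 1) for c in combinations(aps, r)]
    seen, todo = [], [phi]
    while todo:
        chi = todo.pop()
        if any(prop_equiv(chi, s) for s in seen):
            continue
        seen.append(chi)
        todo.extend(step(chi, nu) for nu in letters)
    return seen

if __name__ == '__main__':
    a, b = ap('a'), ap('b')
    print(len(logical_states(And(F(a), F(b)))))        # 4 logical components, as in Table 1
    print(mergeable(unf(F(a)), TT, frozenset({'a'})))  # True: (a or XFa, {a}) ~ (tt, {a})
    print(mergeable(unf(F(a)), TT, frozenset()))        # False: (a or XFa, {}) is not (tt, {})
```

The merge check is only sound for states carrying the same letter ν, which is why `mergeable` takes one ν for both formulae; the two Fa states from Example 5 collapse under {a} but not under ∅, exactly as the text describes.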

The next important observation is that the blow-up from generalized Rabin to 
Rabin automaton (see the column GR-factor) corresponds to the number of 
elements of F that have a descendant or an ancestor in G and are combined with 
conjunction. This follows directly from the transformation described in Section 6 
and is illustrated in the table. 

Thus, we may conclude that our approach is competitive with the determinization 
approach, and for some classes of useful properties, such as fairness constraints 
or generally the infinitary properties, it shows significant advantages. 
Firstly, the state space of the Rabin automaton is noticeably smaller. Secondly, 
compact generalized Rabin automata tend to be small even for more complex 
formulae. Thirdly, the state spaces of our automata have a clear structure to be 
exploited for further possible optimizations, which is more difficult in the case 
of determinization. In short, the state space is less "messy". 

9 Discussion on Extensions 

Our approach seems to be extensible to the (X,F,G)-fragment. In this setting, 
instead of remembering the one-step history one needs to remember the n last steps 
(or have an n-step look-ahead) in order to deal with formulae such as GF(a ∧ Xb). 
Indeed, the acceptance condition requires to visit infinitely often a state provably 
satisfying a ∧ Xb. This can be done by remembering the last n symbols read, 
where n can be chosen to be the nesting depth of X's. We have not presented 
this extension mainly for the sake of clarity of the construction. 

Further, one could handle the positive (X,U)-fragment, where only atomic 
propositions may be negated as defined above. These formulae are purely "finitary" 
and the logical component of the state space is sufficient. Indeed, the 
automaton simply accepts if and only if tt is reached and there is no need to 
check any formulae that we had committed to. 

For the (U,G)-fragment or the whole of LTL, our approach would need to be 
significantly enriched, as the state space (and the last n symbols read) is not sufficient 
to keep enough information to decide whether a run ρ is accepting based only on 
Inf(ρ). Indeed, consider the formula φ = GF(a ∧ bUc). Then reading {a, b} results 
in the requirement GF(a ∧ bUc) ∧ (F(a ∧ bUc) ∨ (bUc)), which is, however, 
temporally equivalent to φ (their unfolds are propositionally equivalent). Thus, 
runs on ({a, b}{c}∅)^ω and ({a, b}∅{c})^ω have the same set of infinitely often 
visited states. Hence, the order of visiting the states matters and one needs the 
history. However, words such as ({a, b}{b}^n{c})^ω vs. ({b}^n{c})^ω show that a more 
complicated structure is needed than the last n letters. The conjecture that this 
approach is extensible to the whole of LTL is left open and considered for future 
work. 

10 Conclusions 

We have shown a direct translation of the LTL fragment with operators F and 
G to deterministic automata. This translation has several advantages compared 
to the traditional way that goes via non-deterministic Büchi automata and then 
performs determinization. First of all, in our opinion it is a lot simpler than the 
determinization and its various non-trivial optimizations. Secondly, the state 
space has a clear logical structure. Therefore, any work with the automata or 
further optimizations seems to be conceptually easier. Moreover, many optimizations 
are actually done by the logic itself. Indeed, logical equivalence of the 
formulae helps to shrink the state space with no further effort. In a sense, the 
logical part of a state contains precisely the information that the semantics of 
LTL dictates, see Proposition 9. Thirdly, the state space is, according to the 
experiments, not much bigger even when compared to already optimized 
determinization. Moreover, very often it is considerably smaller, especially for the 
"infinitary" formulae; in particular, for fairness conditions. Furthermore, we have 
also given a very compact deterministic ω-automaton with a small and in our 
opinion reasonably simple generalized Rabin acceptance condition. 

Although we presented a possible direction to extend the approach to the 
whole of LTL, we leave this problem open and will focus on it in future work. 
Further, since only the obvious optimizations mentioned in Section 5 have been 
implemented so far, there is space for further performance improvements in this 
new approach. 